Details
Win32.HLLW.Bezilom
This is a harmless, non-memory-resident parasitic Win32 virus. The worm consists of three components, all of which are Windows PE EXE files written in Visual Basic:
Natasha.exe - 143K, virus dropper, was spammed to several email conferences in the middle of February 2002
Maria.doc.exe - 29K, this is the virus itself
MacroSoftBL.exe - 70K, this is a fake anti-virus program (decoy)
When the dropper is executed, it drops the two other components and runs them:
File1: "PKGF320.exe" in the Windows TEMP directory.
File2: "MacroSoftBL.exe" in the "Program Files\MacroSoftBL" directory, with the Hidden and System attributes set.
The Virus
When the virus copy is run, it moves itself to the Windows directory with the "Maria.doc.exe" name (with many spaces in the name between "doc" and "exe"). This file is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run StartUp = %WindowsDir%\Maria.doc all .exe
with many spaces in the name between "doc" and "exe".
The virus then copies itself under a random name (like CMZYMZ.EXE, HUHHBG.EXE) to the root directories of the available drives, and creates an AUTOEXEC.BAT file there containing one instruction that runs the virus copy in the same directory.
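The persistence traits described above (a Run-key entry pointing at a document-style name padded with spaces before ".exe", and a root-directory AUTOEXEC.BAT that starts an EXE sitting beside it) can be checked for as follows. This is an added example, not code from the original description; the function names, extension lists and sample data are assumptions made for illustration.

```python
import re

# Assumed extension lists for this example; tune them for your environment.
DECOY_EXTS = {"doc", "txt", "pdf", "jpg", "xls"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat"}

# "<name>.<decoy><optional whitespace>.<executable>" at the end of a file name
PADDED_RE = re.compile(r"\.([A-Za-z0-9]{2,4})(\s*)\.([A-Za-z0-9]{2,4})$")


def padded_double_extension(filename):
    """Return (decoy_ext, pad_len, real_ext) for names like 'x.doc   .exe', else None."""
    m = PADDED_RE.search(filename)
    if not m:
        return None
    decoy, pad, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if decoy in DECOY_EXTS and real in EXEC_EXTS:
        return decoy, len(pad), real
    return None


def scan_run_values(run_values):
    """Given {value name: command} from a Run key, return the suspicious value names."""
    hits = []
    for name, command in run_values.items():
        leaf = command.strip().strip('"').rsplit("\\", 1)[-1]
        if padded_double_extension(leaf):
            hits.append(name)
    return hits


def autoexec_launches_local_exe(bat_text, root_files):
    """Return EXE names that AUTOEXEC.BAT starts and that sit in the same drive root."""
    present = {f.upper() for f in root_files}
    launched = []
    for line in bat_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        leaf = tokens[0].lstrip("@").rsplit("\\", 1)[-1].upper()
        if leaf.endswith(".EXE") and leaf in present:
            launched.append(leaf)
    return launched


# Constructed sample data (the padding length of 20 is an assumption).
SAMPLE_RUN = {
    "StartUp": "C:\\WINDOWS\\Maria.doc" + " " * 20 + ".exe",
    "Updater": "C:\\Program Files\\App\\app.exe /start",
}
```

On a live host the Run-key values and the drive-root listing would be collected first (for example with winreg and os.listdir) and passed to these functions.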